x/vuln/cmd/govulncheck: verbose mode shows redundant call stacks #56176
Comments
The ideal fix is to not show call stacks that are prefixes of one another, where the prefix ends in a vulnerable symbol.

This should in principle be solved at the level of vulndb. If a private symbol has derived symbols, then we should exclude the private symbol from the OSV entry. This will at least not produce redundant call stacks between exported and non-exported vulnerable symbols. See #56185

Change https://go.dev/cl/445078 mentions this issue:
A call stack is unique if it does not go through other detected vulnerable symbols.

Fixes golang/go#56176
Change-Id: Iea214f9a879610131910dbede7fa87012bb91fa3
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/445078
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
govulncheck shows redundant call stacks in verbose mode. The issue happens when the actual vulnerable symbol is a private function/method.
During vuln db report creation, we always also compute derived symbols, i.e., exported symbols of the offending package that lead to the actual vulnerable symbols. Generated OSVs will have both of these groups of symbols as vulnerable, making no distinction. govulncheck will then search and report them independently as it does not know any better. For instance, in the verbose output govulncheck shows call stacks for vulnerable symbols Server.ServeConn and serverConn.canonicalHeader. The latter one is redundant as it goes through the derived symbol Server.ServeConn.

@hyangah
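The prefix rule from the fix ("a call stack is unique if it does not go through other detected vulnerable symbols"), written out as an added Go example that is not govulncheck's own code. The package path example.com/pkg, the symbol names and the call stacks are constructed to mirror the Server.ServeConn / serverConn.canonicalHeader case described above:

```go
package main

import (
	"fmt"
	"strings"
)

// Symbol is a fully qualified function or method name in the form govulncheck
// prints it. The names used below are constructed samples, not real
// vulnerability data.
type Symbol = string

// CallStack lists symbols from an entry point (index 0) down to the vulnerable
// symbol that was reached (the last element).
type CallStack []Symbol

// String renders the stack one hop per arrow.
func (cs CallStack) String() string {
	return strings.Join(cs, " -> ")
}

// uniqueStacks keeps only stacks that do not pass through another detected
// vulnerable symbol before reaching their own sink. When an OSV entry lists
// both a private symbol and the exported ("derived") symbols that reach it,
// every stack to the private symbol extends some stack to a derived symbol;
// reporting the shorter stack is enough, so the longer one is dropped.
// This is a hypothetical reimplementation of the rule stated in CL 445078,
// not code from x/vuln.
func uniqueStacks(stacks []CallStack, vulnerable map[Symbol]bool) []CallStack {
	out := make([]CallStack, 0, len(stacks))
	for _, cs := range stacks {
		if len(cs) == 0 {
			continue // nothing to report
		}
		// Only intermediate frames matter; the last frame is this stack's own sink.
		if passesThroughVulnerable(cs[:len(cs)-1], vulnerable) {
			continue // a shorter stack ending at that intermediate symbol covers this one
		}
		out = append(out, cs)
	}
	return out
}

// passesThroughVulnerable reports whether any of the given intermediate
// frames is itself a detected vulnerable symbol.
func passesThroughVulnerable(frames []Symbol, vulnerable map[Symbol]bool) bool {
	for _, sym := range frames {
		if vulnerable[sym] {
			return true
		}
	}
	return false
}

// sampleVulnerable is a constructed stand-in for the symbol list of an OSV
// entry: the private symbol that is actually vulnerable plus the exported
// symbol derived from it. The package path is a placeholder.
func sampleVulnerable() map[Symbol]bool {
	return map[Symbol]bool{
		"example.com/pkg.(*Server).ServeConn":           true, // derived, exported
		"example.com/pkg.(*serverConn).canonicalHeader": true, // actual, private
	}
}

// sampleStacks is a constructed set of call stacks as a call graph search
// might produce them for the symbols above. The second stack is the
// redundant one: it reaches the private symbol via the derived one.
func sampleStacks() []CallStack {
	return []CallStack{
		{"main.main", "example.com/pkg.(*Server).ServeConn"},
		{"main.main", "example.com/pkg.(*Server).ServeConn",
			"example.com/pkg.(*serverConn).serve",
			"example.com/pkg.(*serverConn).canonicalHeader"},
		{"main.handle", "example.com/pkg.(*Server).ServeConn"},
	}
}

func main() {
	for _, cs := range uniqueStacks(sampleStacks(), sampleVulnerable()) {
		fmt.Println(cs)
	}
}
```

Running this prints the two stacks that end directly at Server.ServeConn and drops the one that continues on to serverConn.canonicalHeader. Note the filter depends on the OSV entry listing the intermediate symbol as vulnerable; if vulndb stops emitting the private symbol when derived symbols exist (the approach suggested for #56185), the longer stack is never produced in the first place and the filter is only a safety net.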